RE: I-D ACTION:draft-schaad-dhsign-00.txt
"Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> Sun, 15 November 1998 02:15 UTC
Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by ietf.org (8.8.5/8.8.7a) with ESMTP id VAA03077 for <pkix-archive@odin.ietf.org>; Sat, 14 Nov 1998 21:15:07 -0500 (EST)
Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id QAA10704 for ietf-pkix-bks; Sat, 14 Nov 1998 16:31:51 -0800 (PST)
Received: from doggate.exchange.microsoft.com (doggate.exchange.microsoft.com [131.107.88.55]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id QAA10700 for <ietf-pkix@imc.org>; Sat, 14 Nov 1998 16:31:50 -0800 (PST)
Received: by doggate.exchange.microsoft.com with Internet Mail Service (5.5.2232.9) id <WW0N7R9X>; Sat, 14 Nov 1998 16:34:31 -0800
Message-ID: <2FBF98FC7852CF11912A0000000000010ECB5A9F@DINO>
From: "Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com>
To: 'EKR' <ekr@rtfm.com>
Cc: "IETF-PKIX (E-mail)" <ietf-pkix@imc.org>
Subject: RE: I-D ACTION:draft-schaad-dhsign-00.txt
Date: Sat, 14 Nov 1998 16:34:29 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2232.9)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@imc.org
Precedence: bulk
Eric,

It appears that I need to get a new set of reviews as they all missed this. I think you are correct and there is a problem in the draft. I currently plan to remove the ephemeral scheme from the draft on the next revision.

jim

-----Original Message-----
From: EKR [mailto:ekr@rtfm.com]
Sent: Friday, November 13, 1998 3:47 PM
To: Jim Schaad (Exchange)
Cc: IETF-PKIX (E-mail)
Subject: Re: I-D ACTION:draft-schaad-dhsign-00.txt

"Jim Schaad (Exchange)" <jimsch@exchange.microsoft.com> writes:
> This draft is referenced from the new CMC draft so it should be of interest
> to the readers of that draft.

Jim,

First, a meta-comment: Why do we need this at all? DH keys are suitable for computing DSA signatures. Wouldn't it be simpler just to compute a DSA signature over the data? This would eliminate the need for a common group between the sender and recipient.

Secondly, I don't believe that the ephemeral scheme is strong. Provided that the attacker has access to the triplet g,p,Ys (sender's public key), it's trivial for him to compute a private key Xe such that he knows:

Ye^Xe = g^(XsXe)

This allows him to forge any number of signed messages. Remember, computing the DH shared secret requires access to only one of the DH private keys.

I hesitate to bring this up because I'm sure I'm missing something really obvious, but I sure can't see what it is.

Confused,
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
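The two points EKR raises above, as an added toy example that is not part of this thread or of the draft: the draft's exact ephemeral construction is not quoted on this page, so the model below assumes the "signature" is a MAC keyed by the DH secret g^(Xs*Xe) between the sender's static key and an ephemeral key, with the ephemeral private value Xe shipped alongside so a verifier can recompute Ys^Xe. Under that assumption the verification check is satisfied by anyone who knows only (g, p, Ys), because the DH secret needs just one of the two private values. The second half is the alternative EKR suggests, a DSA signature in the same group, whose verification only passes when the static private key was used. The group parameters, key sizes and message are constructed toy values, not secure ones.

```python
"""Added illustration of why a MAC under an ephemeral DH secret is not a
signature, and why a DSA signature over the same group is. Toy parameters
only; the scheme layout is an assumption, not the draft's text."""
import hashlib
import hmac
import secrets

# Constructed toy group: P = 2*Q + 1 with P, Q prime; G = 2^2 has order Q.
P, Q, G = 2879, 1439, 4
KEY_BYTES = (P.bit_length() + 7) // 8


def keygen():
    """Return (private, public) with private in [1, Q-1]."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def dh_secret(private, peer_public):
    return pow(peer_public, private, P)


def mac(k, msg):
    return hmac.new(k.to_bytes(KEY_BYTES, "big"), msg, hashlib.sha256).digest()


# ---- Assumed ephemeral "DH signature": (Xe, MAC_{g^(Xs*Xe)}(msg)) ----------
def dh_sign(x_static, msg):
    x_e, y_e = keygen()
    k = dh_secret(x_static, y_e)          # Ye^Xs = g^(Xs*Xe)
    return x_e, mac(k, msg)


def dh_verify(y_static, msg, sig):
    x_e, tag = sig
    k = dh_secret(x_e, y_static)          # Ys^Xe = g^(Xs*Xe): needs only Xe
    return hmac.compare_digest(tag, mac(k, msg))


def outsider_dh_sign(y_static, msg):
    """Produced from public values only (no Xs): identical to what the
    verifier recomputes, so dh_verify cannot tell it from the sender's."""
    x_e, _ = keygen()
    return x_e, mac(dh_secret(x_e, y_static), msg)


# ---- DSA over the same (P, Q, G): verification ties the tag to Xs ---------
def digest_mod_q(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def dsa_sign(x_static, msg):
    e = digest_mod_q(msg)
    while True:
        k = 1 + secrets.randbelow(Q - 1)
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = (pow(k, -1, Q) * (e + x_static * r)) % Q
        if s != 0:
            return r, s


def dsa_verify(y_static, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (digest_mod_q(msg) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y_static, u2, P)) % P) % Q
    return v == r


if __name__ == "__main__":
    xs, ys = keygen()
    m = b"constructed sample message"
    print("sender's DH-MAC verifies:   ", dh_verify(ys, m, dh_sign(xs, m)))
    print("outsider's DH-MAC verifies: ", dh_verify(ys, m, outsider_dh_sign(ys, m)))
    print("sender's DSA verifies:      ", dsa_verify(ys, m, dsa_sign(xs, m)))
```

The first two lines of output both read True, which is EKR's point: the check binds the tag to whoever chose Xe, not to the holder of Xs. The DSA check, by contrast, passes only for a signature computed with the static private key, and it needs no shared group between sender and recipient beyond the signer's own parameters.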